trivy

Trivy plugin for starting an MCP server

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio aquasecurity-trivy-mcp trivy mcp \
  --env TRIVY_MCP_LOG_LEVEL="info" \
  --env TRIVY_MCP_AQUA_ENABLED="false"

How to use

The Trivy MCP Server Plugin exposes Trivy’s security scanning capabilities over the Model Context Protocol (MCP), enabling natural language queries and multiple scan types within MCP-enabled tools like VS Code, Cursor, JetBrains IDEs, and Claude Desktop. Once running, you can ask questions about vulnerabilities, misconfigurations, and policy compliance across different scopes. The server supports scanning local filesystems, container images, and remote repositories, and can optionally integrate with Aqua Platform for enhanced scanning and assurance policy checks. It also supports flexible transport options such as stdio, streamable HTTP, and Server-Sent Events (SSE), allowing integration with a variety of IDEs and tooling pipelines.

How to install

Prerequisites:

  • Ensure you have Trivy installed and available on your PATH.
  • Ensure MCP tooling is available in your environment (e.g., MCP runtime, CLI).

Installation steps:

  1. Install the MCP plugin for Trivy: trivy plugin install mcp

  2. Verify installation by starting the MCP server: trivy mcp

  3. If you need to customize transport or environment, set environment variables as needed (see additional notes).

  4. Connect your MCP-enabled IDE or tool to the running Trivy MCP server using the server name and transport configured in your environment.

Additional notes

Tips and notes:

  • Transport: The Trivy MCP server supports stdio, streamable HTTP, and SSE. Choose the transport that best fits your IDE or integration setup.
  • Scans:
    • Filesystem: Scan local project directories for vulnerabilities and misconfigurations.
    • Container images: Analyze container image vulnerabilities before deployment.
    • Remote repositories: Assess security posture of remote code repositories.
  • Aqua Platform: If you enable Aqua integration, ensure proper credentials and tokens are provided via environment variables or your deployment platform's secret management.
  • Environment variables: You can adjust logging level or enable/disable Aqua integration using environment variables (examples include TRIVY_MCP_LOG_LEVEL and TRIVY_MCP_AQUA_ENABLED). Replace placeholders with appropriate values for your environment.
  • Troubleshooting: If the server fails to start, verify that Trivy is accessible in your PATH, and that the mcp subcommand is supported in your Trivy version. Check logs for transport binding errors or authentication issues with Aqua if enabled.
